10 Practical Ways to Improve Risk Management

Experts maintain that the turbulent economy has pushed risk management to the forefront, as companies look at how it contributed to the crisis and how it can be used now as an opportunity to rise above it.

While risk management’s shortcomings may have contributed to the financial turmoil, with proper refocusing from lessons learned in the crisis, the discipline may now hold the key to helping avoid similar problems in the future, notes a report released in March.

“If you were a leader or risk officer at any financial services company over the past year, you learned painful lessons about the importance of protecting both sides of the balance sheet,” noted Sean Ringsted, ACE Group’s chief risk officer and chief actuary. “A successful response to these lessons will help set the financial sector and the global economy on a more stable future course.”

The report, “Managing Risk in Perilous Times: Practical Steps to Accelerate Recovery,” was conducted by the Economist Intelligence Unit and sponsored by the global commercial property/casualty firm the ACE Group, KPMG, SAP and Towers Perrin. It comprised interviews with financial sector participants, senior risk professionals and independent experts, combined with a study of current academic and industry thinking on risk management. The report, in its final form, revealed 10 practical ways to address current weaknesses in risk management.

The steps outlined in the report include:

1. Senior executives must lead risk management from the top. Leadership and tone from the most senior level are essential. There should be appropriate board oversight of risk, usually through the audit committee or a risk committee. And the chief executive, as the “owner” of risk, must be seen to elevate the authority of risk management and build a pervasive risk culture.

2. Risk management must be given greater authority. Even if risk managers have the right tools, information and expertise at their disposal, this counts for nothing if they do not have sufficient authority to escalate concerns and curb excessive risk-taking. To address this problem, senior executives should ensure that risk managers have appropriate stature within the organization, and that this is thoroughly understood by the lines of business.

3. Institutions need to review the level of risk expertise in their organization, particularly at the highest levels. Financial institutions must be confident that they have sufficient risk expertise at the most senior level. Both board-level executives and non-executives should have the tools and information at their disposal to understand the institution’s risk appetite and positions.

4. Institutions should pay more attention to the data that populates risk models, and must combine this output with human judgment. No matter how sophisticated, models are limited by the quality of the data feeding them. Even with the best available data, no risk management tool should be used in isolation, and quantitative methods should always be backed up with qualitative approaches and the vital inputs of human judgment and dialogue.

5. Stress testing and scenario planning can arm executives with an appropriate response to events. Stress testing must be integrated with the firm’s overall risk management processes, and mechanisms developed to ensure that the results are communicated to senior management in such a way that it is possible for them to formulate a clear response.

6. Incentive systems must be constructed so that they reward long-term stability, not short-term profit. Certain aspects of the bonus culture and remuneration models for senior financial services executives may need to be overhauled, with some of the rewards being withheld to match the maturity of the underlying business.

7. Risk factors should be consolidated across all the institution’s operations. Conversations about risk appetite and risk capacity should not be restricted to the risk function, but should take place throughout the organization. Equally, risk management should be tightly integrated into operations, and lines of communication should be clear enough that changes in risk levels can be escalated to the correct layer of authority before mitigation becomes impossible.

8. Institutions should ensure that they do not rely too heavily on data from external providers. Financial institutions must address their over-dependence on credit ratings, and supplement ratings with their own analysis, which should be continuously updated over the entire period of the investment.

9. A careful balance must be struck between the centralization and decentralization of risk. A central risk function, determined at a senior level, is essential in order to set risk appetite, implement and monitor controls and provide oversight of the firm’s risk position. But this must also be combined with an approach whereby risk is embedded in the regional office or business unit, such that each profit center has ownership of its own risks.

10. Risk management systems should be adaptive rather than static. The scale and unique nature of the problems that befell the financial markets in late 2008 illustrate the need to conduct continuous observations of the real world and feed these back into the risk management system on a regular basis. This enables the system to correct its inherent weaknesses and respond to changing business conditions.